DEBIAN:95111DCEA76BADF07B16C06A59741B28:EB696
History: Sep 11, 2009 - 12:02 a.m.

[Backports-security-announce] Security update for webauth

2009-09-11 00:02:59
lists.debian.org

EPSS: 0.002 (Low), Percentile: 54.1%

Russ Allbery uploaded new packages for webauth which fixed the following
security problem:

CVE-2009-2945

WebAuth 3.5.5 introduced a new method to probe for browser cookie
support in the WebLogin script.  Under rare circumstances, a browser
may present the test cookie when loading the login form but then not
present the cookie when submitting the form.  Because the form is
converted to a GET, the user's password becomes part of the URL and
therefore enters the browser history, where it may be exposed by
shared use of the system or through snooping attacks on browser
history.  It is also exposed in the web server logs of the WebLogin
server.  If the WebLogin confirmation page is enabled, the URL
containing the user's password may also become the referrer and be
sent by the browser in the referrer header to the web site to which
the user was authenticating, where it would be seen by that web server
and possibly logged in its server logs.
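The exposure described above, as an added example that is not part of the advisory or of the WebAuth project: a small Python scanner that checks web-server access-log lines for credentials that ended up in a GET query string, either in the request line of the WebLogin server's own log or in the Referer header recorded by a downstream site, and redacts the values before the finding is stored anywhere. The combined log format, the parameter names `password`/`passwd` and the sample lines are constructed assumptions; WebLogin's real form field names are not given in the advisory.

```python
"""
Added example (not from the Debian advisory or from WebAuth): detect and
redact passwords that leaked into GET query strings, as CVE-2009-2945
describes, by scanning access-log lines for secret parameters in the
request target and in the Referer header.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed credential field names (illustrative; not taken from WebLogin).
SECRET_PARAMS = ("password", "passwd")

# Apache "combined" log format (assumed):
# host ident user [time] "METHOD TARGET PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines, not real traffic. Line 1 is the login form
# submitted as a GET on the WebLogin host; line 4 is a downstream site
# receiving that URL as the Referer.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Sep/2009:00:02:59 +0000] "GET /login?username=alice&password=hunter2&remember=1 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.11 - - [11/Sep/2009:00:03:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.12 - - [11/Sep/2009:00:03:21 +0000] "GET /login?username=bob HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.13 - - [11/Sep/2009:00:04:00 +0000] "GET /app/ HTTP/1.1" 200 555 "https://weblogin.example.org/login?username=carol&password=s3cret" "Mozilla/5.0"
"""


def leaked_params(url: str) -> List[str]:
    """Return the names of secret parameters present in url's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [name for name in SECRET_PARAMS if name in query]


def redact(url: str) -> str:
    """Replace the value of every secret parameter with REDACTED, keeping
    the rest of the URL intact so the finding is still useful."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in SECRET_PARAMS:
        if name in query:
            query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def scan(log_text: str) -> List[Dict]:
    """Scan log lines; report each request target or Referer that carries
    a secret parameter, with the secret already redacted."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for where in ("target", "referer"):
            url = m.group(where)
            if not url or url == "-":
                continue
            params = leaked_params(url)
            if params:
                findings.append({
                    "line": lineno,
                    "client": m.group("host"),
                    "where": where,
                    "params": params,
                    "url": redact(url),
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['where']} from {f['client']} "
              f"exposes {f['params']} -> {f['url']}")
```

Running the scanner over a retained log is the check a defender wants after deploying the fixed package: any hit means a password is sitting in that log (and, for the Referer case, in a third party's log) and the affected account should be treated as exposed. The same `redact` step can be applied before log lines are forwarded or archived so the value is not copied further.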

This problem affects the webauth-weblogin package. Only that component of
WebAuth is affected. The Apache modules used on individual
WebAuth-protected servers do not have to be updated.

For the lenny-backports distribution this problem has been fixed in
version 3.6.2-1~bpo50+1.

For the unstable distribution, this problem has been fixed in version
3.6.2-1.

For the stable distribution, this problem will be fixed in 3.6.0-1+lenny1,
which is being proposed for the next stable update.

Upgrade instructions

If you don't use pinning [1] you have to update the package manually via
apt-get -t lenny-backports install webauth-weblogin.

We recommend pinning the backports repository to 200 so that new versions
of installed backports are installed automatically.

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

[1] http://backports.org/dokuwiki/doku.php?id=instructions


Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

